github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/README.md (about)

[![GitHub Release][release-img]][release]
[![Downloads][download]][release]
[![Docker Pulls][docker-pull]][docker]
[![Go Report Card][report-card-img]][report-card]
[![Build Status](https://github.com/khulnasoft-lab/kube-bench/workflows/Build/badge.svg?branch=main)](https://github.com/khulnasoft-lab/kube-bench/actions)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/khulnasoft-lab/kube-bench/blob/main/LICENSE)
[![Coverage Status][cov-img]][cov]

[download]: https://img.shields.io/github/downloads/khulnasoft-lab/kube-bench/total?logo=github
[release-img]: https://img.shields.io/github/release/khulnasoft-lab/kube-bench.svg?logo=github
[release]: https://github.com/khulnasoft-lab/kube-bench/releases
[docker-pull]: https://img.shields.io/docker/pulls/khulnasoft/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench
[docker]: https://hub.docker.com/r/khulnasoft/kube-bench
[cov-img]: https://codecov.io/github/khulnasoft-lab/kube-bench/branch/main/graph/badge.svg
[cov]: https://codecov.io/github/khulnasoft-lab/kube-bench
[report-card-img]: https://goreportcard.com/badge/github.com/khulnasoft-lab/kube-bench
[report-card]: https://goreportcard.com/report/github.com/khulnasoft-lab/kube-bench

<img src="docs/images/kube-bench.png" width="200" alt="kube-bench logo">

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

![Kubernetes Bench for Security](/docs/images/output.png "Kubernetes Bench for Security")

## CIS Scanning as part of Tunnel and the Tunnel Operator

[Tunnel](https://github.com/khulnasoft/tunnel), the all-in-one cloud-native security scanner, can be deployed as a [Kubernetes Operator](https://github.com/khulnasoft/tunnel-operator) inside a cluster.
Both the [Tunnel CLI](https://github.com/khulnasoft/tunnel) and the [Tunnel Operator](https://github.com/khulnasoft/tunnel-operator) support CIS Kubernetes Benchmark scanning, among several other features.

## Quick start

There are multiple ways to run kube-bench.
You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

The supplied `job.yaml` [file](job.yaml) can be applied to run the tests as a job. For example:

```bash
$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME                      READY   STATUS              RESTARTS   AGE
kube-bench-j76s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME                      READY   STATUS      RESTARTS   AGE
kube-bench-j76s9   0/1     Completed   0          11s

# The results are held in the pod's logs
$ kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...
```

For more information and different ways to run kube-bench, see the [documentation](docs/running.md).

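
The following POSIX shell script is an added example and is not part of the kube-bench project. It wraps the Quick start above for use in a pipeline: with `--live` it applies `job.yaml`, waits for the Job named `kube-bench` (the name shown in the output above) to complete, and reads the pod logs through the Job; without arguments it runs the same parsing on a constructed sample log so it works offline. It then counts result lines and fails the run when any `[FAIL]` finding appears. The `[PASS]`/`[FAIL]`/`[WARN]` line prefixes (the page only shows `[INFO]`), the `--live` flag, the 120-second timeout and the fail budget of 0 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of kube-bench): run the Job from the Quick start,
# collect its log output and gate a pipeline on the findings.
# Assumptions: the Job is named "kube-bench" (the name job.yaml creates),
# kubectl is on PATH, and result lines carry kube-bench's
# [PASS]/[FAIL]/[WARN]/[INFO] prefixes.
set -eu

# Constructed sample of kube-bench output, used when no cluster is available.
SAMPLE_LOG='[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
[PASS] 1.1.1 Constructed example of a passing check (Automated)
[PASS] 1.1.2 Constructed example of a passing check (Automated)
[FAIL] 1.2.99 Constructed example of a failing check (Automated)
[WARN] 1.2.100 Constructed example of a manual check (Manual)'

# Count result lines on stdin that start with the given status marker.
count_status() {
  # grep -c still prints 0 when nothing matches but exits 1; keep going.
  grep -c "^\[$1\] " || true
}

# Print "pass=N fail=N warn=N" for the given log text.
summarize() {
  s_pass=$(printf '%s\n' "$1" | count_status PASS)
  s_fail=$(printf '%s\n' "$1" | count_status FAIL)
  s_warn=$(printf '%s\n' "$1" | count_status WARN)
  printf 'pass=%s fail=%s warn=%s\n' "$s_pass" "$s_fail" "$s_warn"
}

# Print the check ID of every [FAIL] line, one per line, so a reviewer can
# look each one up in the benchmark document.
failing_ids() {
  printf '%s\n' "$1" | sed -n 's/^\[FAIL\] \([0-9.]*\) .*/\1/p'
}

# Succeed only if the number of [FAIL] findings is within the budget ($2).
gate() {
  g_fail=$(printf '%s\n' "$1" | count_status FAIL)
  [ "$g_fail" -le "$2" ]
}

# Live path: apply job.yaml, wait for the Job, and read the pod logs via it.
fetch_live_results() {
  kubectl apply -f job.yaml >/dev/null
  kubectl wait --for=condition=complete job/kube-bench --timeout=120s >/dev/null
  kubectl logs job/kube-bench
}

if [ "${1:-}" = "--live" ]; then
  RESULTS=$(fetch_live_results)
else
  RESULTS=$SAMPLE_LOG
fi

summarize "$RESULTS"
echo "failing checks:"
failing_ids "$RESULTS"
# A fail budget of 0 makes any [FAIL] finding stop the pipeline.
gate "$RESULTS" 0 || echo "kube-bench reported FAIL findings; fix or justify them"
```

The budget passed to `gate` is the knob to tune: start at the number of known, accepted findings so the pipeline catches regressions, and lower it as checks are fixed. `[WARN]` lines are manual checks and are reported but never counted against the budget.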
### Please Note

1. kube-bench implements the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) as closely as possible. Please raise issues here if kube-bench is not correctly implementing a test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the [CIS community](https://cisecurity.org).

2. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See [CIS Kubernetes Benchmark support](docs/platforms.md#cis-kubernetes-benchmark-support) to see which releases of Kubernetes are covered by each release of the benchmark.

By default, kube-bench determines which test set to run from the Kubernetes version running on the machine; see [Running kube-bench](docs/running.md#running-kube-bench) for details.


## Contributing

Kindly read [Contributing](CONTRIBUTING.md) before contributing.
We welcome PRs and issue reports.

## Roadmap

Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.